Logins against AD failing in *most* cases. Can see why, but don't *understand* why.
aland at deployingradius.com
Tue Dec 1 19:18:14 CET 2009
Meyers, Dan wrote:
>> This is most likely a CA cert problem. The comments in the default
>> "eap.conf" give a very specific warning about this (access-challenge
>> which is never replied to) and explain the issue.
> This being the case, why does my machine successfully respond to all the
> other Access-Challenges before the MSCHAPv2 password is dealt with?
It is setting up a TLS tunnel, and doing certificate exchanges. In
this regard, RADIUS is *just* like ethernet. When you connect to a web
server via HTTPS, there is a *lot* of network traffic before you get the
real content: the web page.
With PEAP, the real content is the username && password in the tunnel.
If the client doesn't like the server certificate, it spends a lot of
time (and packets) figuring that out.
> trace I gave was for an Access-Challenge id 107. Ids 100 (my initial
> request) to 106 (the other parts of the EAP setup) all finish with an
> Access-Challenge with an EAP-Message being sent to my client, and all of
> those Challenges are successfully responded to.
Use wireshark to look at the packets. All it's doing is TLS setup,
and certificate exchanges. *No* user authentication is happening.
> It was also my (possibly
> erroneous) understanding that FreeRADIUS would never get to the point of
> being able to get the MSCHAPv2 password from the client if the CA cert
> was incorrect, as it would never complete the setup of the EAP session
> inside which the MSCHAPv2 data is contained.
Yes. That's what you're seeing. The *client* is deciding it doesn't
like the certificate, and is stopping.
Remember... the RADIUS server has nearly *zero* power in the network.
The NAS controls almost everything. The supplicant (client machine)
controls almost everything else. The server has the *least* amount of
> Additionally I am using exactly the same certificates, file ownership
> and permissions and eap.conf settings that worked fine before the AD
> upgrade, and the certificates are not used in talking to the domain to
> auth credentials so I can't think that the issue lies there.
<shrug> It's Windows. It's difficult to tell what it's doing. AD
upgrades intentionally break inter-operability with Samba, and XP /
Vista upgrades intentionally break inter-operability with all
third-party RADIUS servers.
And FreeRADIUS always gets the blame. It explains why I come across
as cranky much of the time.
> I am perfectly willing to accept that you may be right and this may be
> my issue, I just don't understand how it has suddenly become a problem.
Ask Microsoft for explanations && fixes. If you get *any* response,
it will be "thanks, we'll look into that".
The people on this list are stuck just as much as you are. But we try
to help, which makes a certain class of people think everything is *our*
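The pattern described above (TLS setup carried as Access-Request/Access-Challenge round trips until the supplicant silently stops answering, before any inner MS-CHAPv2 exchange) as an added example that is not part of the original post or of FreeRADIUS: a small Python parser over constructed log lines written in the style of `radiusd -X` output. The sample lines, the host address and the function names are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample lines in the style of `radiusd -X` output, not a real capture.
# Requests 100..107 each get an Access-Challenge; the supplicant answers every
# challenge except the last one (id 107), i.e. it gave up during TLS setup.
SAMPLE_LOG_STALLED = "\n".join(
    f"rad_recv: Access-Request packet from host 10.0.0.1 port 1812, id={i}, length=200\n"
    f"Sending Access-Challenge of id {i} to 10.0.0.1 port 1812"
    for i in range(100, 108)
)
# Same conversation, but the client answers challenge 107 and the server accepts.
SAMPLE_LOG_OK = SAMPLE_LOG_STALLED + (
    "\nrad_recv: Access-Request packet from host 10.0.0.1 port 1812, id=108, length=200"
    "\nSending Access-Accept of id 108 to 10.0.0.1 port 1812"
)

RECV_RE = re.compile(r"rad_recv: (Access-Request) packet from host (\S+) port \d+, id=(\d+)")
SEND_RE = re.compile(r"Sending (Access-\w+) of id (\d+) to (\S+) port \d+")

def parse_events(log: str) -> List[Tuple[str, str, int]]:
    """Return (packet-type, client-host, packet-id) tuples in log order."""
    events = []
    for line in log.splitlines():
        m = RECV_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2), int(m.group(3))))
            continue
        m = SEND_RE.search(line)
        if m:
            events.append((m.group(1), m.group(3), int(m.group(2))))
    return events

def find_unanswered_challenge(log: str) -> Optional[dict]:
    """Report a client whose conversation ends on an Access-Challenge.

    No later Access-Request and no Access-Accept/Reject means the server is
    waiting on the supplicant. Several completed challenge round trips followed
    by silence is the outer TLS phase being abandoned on the client side (for
    example because it rejected the server certificate), not an inner-auth failure.
    """
    last_by_host, challenges = {}, {}
    for kind, host, pid in parse_events(log):
        if kind == "Access-Challenge":
            challenges[host] = challenges.get(host, 0) + 1
        last_by_host[host] = (kind, pid)
    for host, (kind, pid) in last_by_host.items():
        if kind == "Access-Challenge":
            return {"host": host, "challenge_id": pid, "challenges_sent": challenges[host]}
    return None
```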